Exetools  

Thread: Weird behavior in a patched program

#1, 02-21-2022, 23:45, Doit (Friend):

Hi!
This is the first time I've posted a question in the forum; I hope I'm doing it correctly.

I have patched a program that enables or disables options depending on whether the license is activated or not, in this case the Export option. The strange thing is that it behaves differently depending on how you run it: if I start it from the debugger, the program works correctly with the Export option enabled, but if I run it normally, it disables this option.

I would like to know why this is happening, because I have been patching programs for years and I have never encountered this problem before.

Thanks and excuse my English, it is not my language.
#2, 02-22-2022, 01:09, TmC (VIP):
The only things that come up to my mind are the following:

1. The program is checking for IsDebuggerPresent and acting accordingly (but if you've been patching programs for years, I believe that you already considered this option and most important, know how to fix it).
2. There are tricks to detect whether the program is being started by Windows or by another program, and the software is acting accordingly.
3. There is some sort of exception that is caught by the debugger and not by the program. This way the program knows it is being debugged and might/might not do some operations.
#3, 02-22-2022, 02:12, Stingered (Friend):
Not sure I've heard of this one happening before.

1. Use ScyllaHide plugin to see if you can hide the debugger and check behavior.
2. Set debugger exception ignore range to: 00000000-99999999
3. Disable System BP and Entry BP to see if behavior changes inside debugger.
4. Create a loader to perform patch in-memory.

Research links:

https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software

https://anti-debug.checkpoint.com/

Last edited by Stingered; 02-22-2022 at 04:31.
#4, 02-22-2022, 06:07, h4sh3m (Friend):
Hi

It might happen because:
1- your target is a .NET file and your patched file has another copy in the GAC folder (mostly DLL files in this case)!

2- sometimes when you're patching files (DLL files in .NET, I mean) and just renaming the original files, the Windows loader keeps loading the original file (don't know why), so you just need to change the original file's extension or remove/move it to solve the problem.

3- in native files, sometimes you need to disable ASLR and/or the relocation flag; also you need to use the RVA instead of the VA to get better results (needs more steps, but it's better).

...

xyz- let me know if some parts (or all of them) are not correct


BR,
h4sh3m
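As an added example (not code from any poster in this thread), a small Python header reader illustrating h4sh3m's third point: it reads the PE optional header to report whether the image is marked for ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and whether relocations are stripped, and converts a virtual address seen in the debugger into an RVA that stays valid no matter where the image is loaded. The header bytes are constructed here for the demonstration, not taken from the poster's target.

```python
import struct

# Flags from the PE/COFF specification
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # IMAGE_FILE_HEADER.Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # IMAGE_OPTIONAL_HEADER.DllCharacteristics


def pe_base_info(data: bytes) -> dict:
    """Read ImageBase and the ASLR / relocs-stripped flags from a PE image.
    With 'aslr' True and relocations present, the module is rebased at load
    time, so a VA copied from one debugger run is not valid for the next run."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                            # IMAGE_FILE_HEADER
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20                                # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                             # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                           # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    return {
        "image_base": image_base,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
    }


def va_to_rva(va: int, loaded_base: int) -> int:
    """Turn an address seen in the debugger into a load-independent RVA."""
    return va - loaded_base


def build_sample_pe32_header(aslr: bool) -> bytes:
    """Constructed minimal PE32 header (not a real binary) for the demonstration."""
    hdr = bytearray(0x40 + 4 + 20 + 72)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                   # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44 + 18, 0x0102)            # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = 0x44 + 20
    struct.pack_into("<H", hdr, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<I", hdr, opt + 28, 0x00400000)         # preferred ImageBase
    struct.pack_into("<H", hdr, opt + 70, 0x0140 if aslr else 0x0100)  # NX_COMPAT [| DYNAMIC_BASE]
    return bytes(hdr)
```

Run `pe_base_info` on the file you patched: if it reports `aslr` True with relocations present, a patch located by debugger VA only lands where you expect when the image happens to load at its preferred base, which is exactly the "works under the debugger, not outside it" symptom.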
#5, 02-23-2022, 01:48, Doit (Friend):

Hi,
@TmC, that is the first thing I tried (IsDebuggerPresent); for the moment I have discarded it, although the program could check it from a file that I have not yet located.

@Stingered, I've tried all that. I'll take a look at those links.

@h4sh3m, in this case it is not a .NET program, and I have also tried to deactivate ASLR with CFF, but with the same result.

I welcome any other suggestions, thanks.
All times are GMT +8.